munch007

asked on

DNS Problem

We have two Windows 2003 servers that function as domain controllers and DNS servers.  For DNS, they log entries for local workstations and point to our ISP for web name resolution.  Since about a week ago, no client has been able to access www.yahoo.com.  Checked with our ISP and they report OK (also changed my DNS settings to their servers on my local workstation and can access yahoo).  From what I understand, flushing the DNS cache on both servers should fix the problem, but I want to know (1) why this should matter if it's pointing out to the ISP for the info anyway and (2) what the ramifications of flushing the cache are.

Thanks!
rhandels

Hi,

DNS servers keep a cache of the domain names that are resolved. If your server has a wrong DNS entry in its cache (every machine has a cache) it will falsely resolve. So the flushdns option will flush the local DNS cache the machine has.

This will have absolutely no effect on performance or anything else on your servers. You can do this without worrying about anything. The server will start creating a new local cache by resolving the domain names....
munch007 (ASKER)

Flushed DNS cache and still cannot get to www.yahoo.com.  Any suggestions, based upon info above?

>>Flushed DNS cache and still cannot get to<<

I already thought that this wasn't going to solve the problem...

If you go to the DNS server, are you able to go to other sites??? Browse the internet?? And what's between your server and the internet??
Also, when you reboot the server, this flushes the cache.

The reason this happens at times is that sites such as Yahoo have many web servers.  If you go to the site, the DNS server will store the IP/DNS name in the cache.  If that specific server from Yahoo goes down, then the entry in the cache is wrong and will give its clients the wrong information.  So flushing the cache on the server will allow it to get rid of the wrong information.
oBdA
Your DNS settings are incorrect. For an AD domain to work properly, your domain members have to use your internal DNS *only*, and use the root hints or forwarders for external lookups.
The following settings should correct the issue:

*** TCP/IP-Settings ***
* On your first DC/DNS, make sure the only DNS listed in the TCP/IP properties is itself.
* On your second DC, let it point to the first DC as primary, to itself as secondary.
* On your domain members, enter both DCs as primary and secondary DNS.
* Do NOT enter your ISP's DNS server in the TCP/IP settings on any domain member. All DNS resolution needs to be done by your internal DNS servers *only*.

*** DNS Server Settings ***
* Delete the root zone (if present) in your DNS servers' forward lookup zones (the single dot, "."), to enable external lookups.
* Right-click your forward and reverse lookup zones, go to Properties, and make sure that Dynamic Updates are enabled.
* In the properties page of your DNS servers, configure forwarders to point to your ISP's DNS. The forwarders section is the *only* entry in your network where your ISP's DNS should be listed.
* It's recommended (but not necessary) to set your zones to Active Directory integrated (this can be done in the properties of the zones as well).

Once you've checked this, open a command prompt and enter "ipconfig /registerdns", then stop and re-start the netlogon service. Check if the SRV records have been created (see link below).
For further troubleshooting, you can use dcdiag.exe and netdiag.exe to check your system for errors in the domain setup.

Frequently Asked Questions About Windows 2000 DNS and Windows Server 2003 DNS
http://support.microsoft.com/?kbid=291382

Best practices for DNS client settings in Windows 2000 Server and in Windows Server 2003
http://support.microsoft.com/?kbid=825036

HOW TO: Configure DNS for Internet Access in Windows Server 2003
http://support.microsoft.com/?kbid=323380

HOW TO: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003
http://support.microsoft.com/?kbid=816567

How to Verify the Creation of SRV Records for a Domain Controller
http://support.microsoft.com/?kbid=241515

How Domain Controllers Are Located in Windows
http://support.microsoft.com/?kbid=247811

How Domain Controllers Are Located in Windows XP
http://support.microsoft.com/?kbid=314861

SRV Resource Records May Not Be Created on Domain Controller
http://support.microsoft.com/?kbid=239897
I can browse to any website (as far as I can tell) on the DNS server, clients, etc.  Cisco PIX firewall is between DNS server and internet.
Checked all settings mentioned by oBdA.  All are correct, ISP's servers only appear on the forwarders tab.  I just temp changed my local DNS to my ISP to test.
how do they connect to www.yahoo.com ? NAT/Routed/Proxy?
what was the error messages, when not reaching www.yahoo.com?
A user's internet permission is granted thru our firewall...once I permit the IP in the firewall they can connect.  We also have a proxy server, but users cannot connect to yahoo thru it either.  Error is "cannot find yahoo.com"  Cannot ping the site either.
btw, for caching reasons, one dns should forward to the second. only the second should forward to internet.
None of your DNS servers has a "." zone?
Did you update the root hints file at some point?
Which DNS servers are your DCs using?
ASKER CERTIFIED SOLUTION
rhandels

This solution is only available to members.
Thanks!
So it did solve your problem??? Glad to hear..
Worked like a champ!  I appreciate the help
You're welcome...
Thanks so much for this solution!!!! It solved my problem too. I was having trouble with people getting to sites like CNN.com and eBay.com, and it was just driving me mad and causing me to question everything I knew about setting up DNS. Thanks again! Here is also another link that has a solution about how to tell Windows 2003 to use a 512-byte UDP packet without totally disabling all the EDNS0 features.

http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-edns0-and-firewalls.html
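As an added example (not code from this thread or from any of its participants), the following Python models what the link above describes and why a firewall between a Windows 2003 DNS server and the Internet can break lookups for exactly the big sites named in this thread. An EDNS0 query carries an OPT pseudo-record whose CLASS field advertises the UDP payload size the sender accepts; a conformant server then answers with up to that many bytes over UDP; and a firewall that still enforces the pre-EDNS0 512-byte limit silently drops the large reply, so the client only sees a timeout, which a browser reports as "cannot find". Without EDNS0 the server instead truncates the reply to 512 bytes with TC=1 and the client retries over TCP. Everything runs offline: the query, the 40-address answer set and the firewall model are constructed for illustration, and the 4096-byte advertised size is an assumed value.

```python
"""EDNS0 versus a 512-byte DNS firewall limit, modelled offline.
Added example, not code from the thread. Pure Python, no network; all
queries, answers and the firewall below are constructed."""
import struct
from typing import List, Optional, Tuple

CLASSIC_UDP_MAX = 512   # RFC 1035 UDP limit that a pre-EDNS0 firewall DNS inspection enforces
TYPE_A, TYPE_OPT = 1, 41

def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def skip_name(buf: bytes, off: int) -> int:
    """Return the offset just past a name (labels or a 2-byte compression pointer)."""
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:
            return off + 2
        off += 1
        if ln == 0:
            return off
        off += ln

def build_query(qname: str, txid: int = 0x1234, edns_udp_size: Optional[int] = None) -> bytes:
    """A query for qname; with edns_udp_size set, append an OPT pseudo-RR (RFC 2671)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)  # RD=1
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    opt = b""
    if edns_udp_size:
        # OPT RR: NAME=root, TYPE=41, CLASS=UDP payload size the sender accepts,
        # TTL=extended rcode/version/flags (all zero here), RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt

def advertised_udp_size(query: bytes) -> int:
    """Largest UDP reply the client says it accepts: the OPT CLASS field, else 512."""
    _txid, _flags, qd, an, ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(query, off) + 4          # skip QNAME, QTYPE, QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(query, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", query[off:off + 10])
        if rtype == TYPE_OPT:
            return rclass
        off += 10 + rdlen
    return CLASSIC_UDP_MAX

def build_response(query: bytes, addrs: List[str], udp_limit: int) -> bytes:
    """Answer with A records, dropping records and setting TC=1 when the reply
    would exceed the UDP size the client advertised (what a conformant server does)."""
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    question, echo_opt = query[12:qend], query[qend:]   # an OPT RR, if present, is echoed back
    rrs = [b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, 300, 4)   # NAME = pointer to the question
           + bytes(int(o) for o in a.split(".")) for a in addrs]
    kept, size = [], 12 + len(question) + len(echo_opt)
    for rr in rrs:
        if size + len(rr) > udp_limit:
            break
        kept.append(rr)
        size += len(rr)
    tc = 0x0200 if len(kept) < len(rrs) else 0
    header = struct.pack("!HHHHHH", txid, 0x8180 | tc, 1, len(kept), 0, 1 if echo_opt else 0)
    return header + question + b"".join(kept) + echo_opt

def firewall_dns_fixup(datagram: bytes, max_len: int = CLASSIC_UDP_MAX) -> Optional[bytes]:
    """Model of a firewall DNS inspection that silently drops UDP DNS larger than max_len."""
    return datagram if len(datagram) <= max_len else None

def resolve(qname: str, addrs: List[str], edns_udp_size: Optional[int]) -> Tuple[str, int]:
    """Client query -> server reply sized to the advertised limit -> firewall -> client.
    Returns (what the client experiences, number of A records it received)."""
    query = build_query(qname, edns_udp_size=edns_udp_size)
    reply = build_response(query, addrs, advertised_udp_size(query))
    passed = firewall_dns_fixup(reply)
    if passed is None:
        return "dropped: client times out, browser says the name cannot be found", 0
    flags, _qd, ancount = struct.unpack("!HHH", passed[2:8])
    if flags & 0x0200:
        return "truncated: client retries over TCP", ancount
    return "answered", ancount

if __name__ == "__main__":
    # Constructed: a site that returns many A records, like a large portal
    big_site = ["198.51.100.%d" % i for i in range(1, 41)]
    for size in (None, 4096):   # 4096 is an assumed EDNS0 advertisement
        print("EDNS0 %-4s -> %s" % (size or "off", resolve("www.yahoo.com", big_site, size)))
```

Run as a script, the same 40-record name is delivered (truncated, then retried over TCP) with EDNS0 off and is dropped outright with EDNS0 on; a site with a handful of records fits under 512 bytes either way, which is why only the large portals fail. On a Windows Server 2003 DNS server the blunt server-side switch is `dnscmd /Config /EnableEDnsProbes 0` (Microsoft KB 832223); the link above covers the middle ground of keeping EDNS0 but advertising 512 bytes, and on the PIX side the inspected length is set with `fixup protocol dns maximum-length <bytes>`. Any one of these removes the mismatch; the thread's accepted solution is not shown here, so the example does not claim which was used.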